Small security firm puts spotlight on big vendor bugs

News earlier this week that Oracle Corp. was sitting on patches for 34 undisclosed vulnerabilities in its database software may have come as a surprise to some, but not to David Litchfield, the researcher who discovered the holes.

"In general, bugs are getting harder to find but in some people's software you don't have to look very hard to find bugs, they just fall apart in your hands ... like Oracle's," Litchfield said in an interview Thursday.

Software doesn't fall apart in everyone's hands, of course, but Litchfield and his team at Next Generation Security (NGS) Software Ltd., in Sutton, England, seem to have a knack for finding holes.

As of Thursday the security research company said that it had discovered 67 current undisclosed vulnerabilities in major vendors' software, on top of those found in Oracle's. The lion's share of those exist in enterprise applications and many are remotely exploitable, NGS said. Last year the firm discovered 97 vulnerabilities, according to Litchfield, who added that it was "a slow year."

NGS has made it its business to find holes and fixes, and claims to have delivered more security advisories than any other research firm worldwide. The company says it is not in the business of disclosing exactly where and in whose software unpatched vulnerabilities lie, as this would leave them open to exploitation by hackers.

Oracle's database vulnerabilities surfaced when Litchfield mentioned the problems during a presentation at the Black Hat security conference in Las Vegas last week. Litchfield said he told Oracle about the vulnerabilities in January and that although the software company prepared patches two months ago, it delayed releasing them because it was in the middle of introducing a new patch distribution system. Oracle released a statement saying that it takes its security very seriously, but declined to comment further on the matter for this article.

Litchfield was highly critical of Oracle's delay, but this is not the first time he has had a run-in with the company. Litchfield is credited with being the first researcher to discover vulnerabilities in Oracle's 9i database software after the company launched a marketing campaign touting it as"unbreakable."

In general, he has established the reputation of being a pro bug hunter, discovering the vulnerability of Microsoft Corp.'s SQL Server to the Slammer worm. He also found a number of crucial holes in the software maker's Internet Information Server (IIS).

To software vendors, Litchfield could potentially be seen as either a predator, constantly seeking to discover their weaknesses, or a best friend, someone who makes them aware of their vulnerabilities before they are compromised.

But either take on the affable 28-year-old seems ill-suited. Neither exuberant do-gooder or one clearly touched with schadenfreude, Litchfield seems to be what he says he is: a techy.

Before he turned his focus on bugs, Litchfield was interested in animals. At university he studied zoology but dropped out after seeing the 1995 movie "The Net," in which Sandra Bullock plays a computer analyst whose identity gets "deleted."